Audit Token Formats

Each audit token has a token type identifier, which is followed by data
that is specific to the token. Each token type has its own
format. The following table shows the token names with a brief description of
each token. Obsolete tokens are maintained for compatibility with previous Solaris releases.

An audit record always begins with a header token. The header token indicates
where the audit record begins in the audit trail. In the case of
attributable events, the subject and the process tokens refer to the values of
the process that caused the event. In the case of nonattributable events, the
process token refers to the system.

acl Token

The acl token records information about Access Control Lists (ACLs).

The acl token consists of four fixed fields:

A token ID that identifies this token as an acl token

A field that specifies the ACL type

An ACL value field

A field that lists the permissions associated with this ACL

The praudit -x command shows the fields of the acl token:

<acl type="1" value="root" mode="6"/>

arbitrary Token (Obsolete)

The arbitrary token encapsulates data for the audit trail. This token consists of
four fixed fields and an array of data. The fixed fields are as
follows:

A token ID that identifies this token as an arbitrary token

A suggested print format field, such as hexadecimal

An item size field that specifies the size of the data that is encapsulated, such as short

A count field that provides the number of following items

The remainder of the token is composed of count items of the specified type.
The praudit command displays the arbitrary token as follows:

arbitrary,decimal,int,1
42

The following table shows the possible values of the print format field.

Table 31-5 Values for the arbitrary Token's Print Format Field

Value          Action
AUP_BINARY     Prints the data in binary format
AUP_OCTAL      Prints the data in octal format
AUP_DECIMAL    Prints the data in decimal format
AUP_HEX        Prints the data in hexadecimal format
AUP_STRING     Prints the data as a string

The following table shows the possible values of the item size field.

Table 31-6 Values for the arbitrary Token's Item Size Field

Value        Action
AUR_BYTE     Data is printed in units of bytes (1 byte each)
AUR_SHORT    Data is printed in units of shorts (2 bytes each)
AUR_LONG     Data is printed in units of longs (4 bytes each)

arg Token

The arg token contains information about the arguments to a system call: the
argument number of the system call, the argument value, and an optional description.
This token allows a 32-bit integer system-call argument in an audit record.

The arg token has five fields:

A token ID that identifies this token as an arg token

An argument ID that tells which system call argument that the token refers to

The argument value

The length of the descriptive text string

The text string

The praudit -x command shows the fields of the arg token:

<argument arg-num="2" value="0x0" desc="new file uid"/>

attribute Token

The attribute token contains information from the file vnode.

The attribute token has seven fields:

A token ID that identifies this token as an attribute token

The file access mode and type

The owner user ID

The owner group ID

The file system ID

The node ID

The device ID that the file might represent

For further information about the file system ID and the device ID, see
the statvfs(2) man page.

The attribute token usually accompanies a path token. The attribute token is produced
during path searches. If a path-search error occurs, there is no vnode available
to obtain the necessary file information. Therefore, the attribute token is not included as
part of the audit record. The praudit -x command shows the fields of the
attribute token:

Note - The exec_env token is output only when the arge audit policy option
is active.

exit Token (Obsolete)

The exit token records the exit status of a program. The exit token
contains the following fields:

A token ID that identifies this token as an exit token

A program exit status as passed to the exit() system call

A return value that describes the exit status or that provides a system error number

The praudit command displays the exit token as follows:

exit,Error 0,0

file Token

The file token is a special token that is generated by the auditd
daemon. The token marks the beginning of a new audit file and the
end of an old audit file as the old file is deactivated. The
initial file token identifies the previous file in the audit trail. The final
file token identifies the next file in the audit trail. The auditd daemon
builds a special audit record that contains this token to “link” together successive audit
files into one audit trail.

The praudit -x command shows the fields of the file token. This token
identifies the next file in the audit trail. The line is wrapped for
display purposes.

ip_addr Token

The ip_addr token contains an Internet Protocol address. Since the Solaris 8 release,
the Internet address can be displayed in IPv4 format or IPv6 format. The
IPv4 address uses 4 bytes. The IPv6 address uses 1 byte to describe
the address type, and 16 bytes to describe the address.

The ip_addr token has three fields:

A token ID that identifies this token as an ip_addr token

The IP address type, either IPv4 or IPv6

An IP address

The praudit -x command shows the content of the ip_addr token:

<ip_address>machine1</ip_address>

ip Token (Obsolete)

The ip token contains a copy of an Internet Protocol header. The ip
token has two fields:

A token ID that identifies this token as an ip token

A copy of the IP header, that is, all 20 bytes

The praudit command displays the ip token as follows:

ip address,0.0.0.0

The IP header structure is defined in the /usr/include/netinet/ip.h file.

ipc Token

The ipc token contains the System V IPC message handle, semaphore handle, or
shared-memory handle that is used by the caller to identify a particular IPC
object.

The ipc token has three fields:

A token ID that identifies this token as an ipc token

A type field that specifies the type of IPC object

The handle that identifies the IPC object

Note - The IPC object identifiers violate the context-free nature of the Oracle Solaris audit
tokens. No global “name” uniquely identifies IPC objects. Instead, IPC objects are identified
by their handles. The handles are valid only during the time that the
IPC objects are active. However, the identification of IPC objects should not be
a problem. The System V IPC mechanisms are seldom used, and the mechanisms
all share the same audit class.

The following table shows the possible values for the IPC object type field.
The values are defined in the /usr/include/bsm/audit.h file.

Table 31-7 Values for the IPC Object Type Field

Name          Value    Description
AU_IPC_MSG    1        IPC message object
AU_IPC_SEM    2        IPC semaphore object
AU_IPC_SHM    3        IPC shared-memory object

The praudit -x command shows the fields of the ipc token:

<IPC ipc-type="shm" ipc-id="15"/>

ipc_perm Token

The ipc_perm token contains a copy of the System V IPC access permissions.
This token is added to audit records that are generated by IPC shared-memory
events, IPC semaphore events, and IPC message events.

The ipc_perm token has eight fields:

A token ID that identifies this token as an ipc_perm token

The user ID of the IPC owner

The group ID of the IPC owner

The user ID of the IPC creator

The group ID of the IPC creator

The access mode of the IPC

The sequence number of the IPC

The IPC key value

The praudit -x command shows the fields of the ipc_perm token. The line
is wrapped for display purposes.

The values are taken from the ipc_perm structure that is associated with the
IPC object.

iport Token

The iport token contains the TCP or UDP port address.

The iport token has two fields:

A token ID that identifies this token as an iport token

The TCP or UDP port address

The praudit command displays the iport token as follows:

ip port,0xf6d6

opaque Token (Obsolete)

The opaque token contains unformatted data as a sequence of bytes. The opaque
token has three fields:

A token ID that identifies this token as an opaque token

A byte count of the data

An array of byte data

The praudit command displays the opaque token as follows:

opaque,12,0x4f5041515545204441544100

path Token

The path token contains access path information for an object.

The path token contains the following fields:

A token ID that identifies this token as a path token

The path length

The absolute path to the object that is based on the real root of the system

The praudit command displays the path token, without the second field, as
follows:

path,/etc/security/audit_user

The praudit -x command shows the content of the path token:

<path>/etc/security/prof_attr</path>

The following figure shows the format of a path token.

Figure 31-4 path Token Format

path_attr Token

The path_attr token contains access path information for an object. The access path
specifies the sequence of attribute file objects below the path token object. System
calls such as openat() access attribute files. For more information on attribute
file objects, see the fsattr(5) man page.

The path_attr token contains the following fields:

A token ID that identifies this token as a path_attr token

A count that represents the number of sections of attribute file paths

count null-terminated strings, one for each section of the attribute file path

The praudit command displays the path_attr token as follows:

path_attr,1,attr_file_name

privilege Token

The privilege token records the use of privileges on a process. The privilege
token is not recorded for privileges in the basic set. If a privilege
has been removed from the basic set by administrative action, then the use
of that privilege is recorded. For more information on privileges, see Privileges (Overview).

The privilege token contains the following fields:

A token ID that identifies this token as a privilege token

The length of the following field

The name of the privilege set

The length of the following field

The list of privileges

The praudit -x command shows the fields of the privilege token. The line
is wrapped for display purposes.

process Token

The process token contains information about a user who is associated with a
process, such as the recipient of a signal.

The process token has nine fields:

A token ID that identifies this token as a process token

The audit ID

The effective user ID

The effective group ID

The real user ID

The real group ID

The process ID

The audit session ID

A terminal ID that consists of a device ID and a machine address

The audit ID, user ID, group ID, process ID, and session ID are
long instead of short.

Note - The process token fields for the session ID, the real user ID, or
the real group ID might be unavailable. The value is then set to
-1.

Any token that contains a terminal ID has several variations. The praudit command hides
these variations. So, the terminal ID is handled the same way for
any token that contains a terminal ID. The terminal ID is either an
IP address and port number, or a device ID. A device ID, such
as the serial port that is connected to a modem, can be zero.
The terminal ID is specified in one of several formats.

The terminal ID for device numbers is specified as follows:

32-bit applications – 4-byte device number, 4 bytes unused

64-bit applications – 8-byte device number, 4 bytes unused

In releases prior to the Solaris 8 release, the terminal ID for
port numbers is specified as follows:

32-bit applications – 4-byte port number, 4-byte IP address

64-bit applications – 8-byte port number, 4-byte IP address

Since the Solaris 8 release, the terminal ID for port numbers is
specified as follows:

return Token

The return token contains the return status of the system call (u_error) and
the process return value (u_rval1).

The return token has three fields:

A token ID that identifies this token as a return token

The error status of the system call

The return value of the system call

The return token is always returned as part of kernel-generated audit records for
system calls. In application auditing, this token indicates exit status and other return
values.

The praudit command displays the return token for a system call as follows:

return,failure: Operation now in progress,-1

The praudit -x command shows the fields of the return token:

<return errval="failure: Operation now in progress" retval="-1"/>

sequence Token

The sequence token contains a sequence number. The sequence number is incremented every
time an audit record is added to the audit trail. This token is
useful for debugging.

The sequence token has two fields:

A token ID that identifies this token as a sequence token

A 32-bit unsigned long field that contains the sequence number

The praudit command shows the field of the sequence token:

sequence,1292

The praudit -x command shows the content of the sequence token:

<sequence seq-num="1292"/>

Note - The sequence token is output only when the seq audit policy option
is active.

socket Token

The socket token contains information that describes an Internet socket. In some instances,
the token has four fields:

A token ID that identifies this token as a socket token

A socket type field that indicates the type of socket referenced, either TCP, UDP, or UNIX

The local port

The local IP address

The praudit command displays this instance of the socket token as follows:

socket,0x0002,0x83b1,localhost

In most instances, the token has eight fields:

A token ID that identifies this token as a socket token

The socket domain

A socket type field that indicates the type of socket referenced, either TCP, UDP, or UNIX

The local port

The address type, either IPv4 or IPv6

The local IP address

The remote port

The remote IP address

Since the Solaris 8 release, the Internet address can be displayed in
IPv4 format or IPv6 format. The IPv4 address uses 4 bytes. The IPv6
address uses 1 byte to describe the address type, and 16 bytes to
describe the address.

subject Token

The subject token describes a user who performs or attempts to perform an
operation. The format is the same as the process token.

The subject token has nine fields:

A token ID that identifies this token as a subject token

The audit ID

The effective user ID

The effective group ID

The real user ID

The real group ID

The process ID

The audit session ID

A terminal ID that consists of a device ID and a machine IP address

The audit ID, user ID, group ID, process ID, and session ID are
long instead of short.

Note - The subject token fields for the session ID, the real user ID, or
the real group ID might be unavailable. The value is then set to
-1.

Any token that contains a terminal ID has several variations. The praudit command hides
these variations. So, the terminal ID is handled the same way for
any token that contains a terminal ID. The terminal ID is either an
IP address and port number, or a device ID. A device ID, such
as the serial port that is connected to a modem, can be zero.
The terminal ID is specified in one of several formats.

The terminal ID for device numbers is specified as follows:

32-bit applications – 4-byte device number, 4 bytes unused

64-bit applications – 8-byte device number, 4 bytes unused

In releases prior to the Solaris 8 release, the terminal ID for
port numbers is specified as follows:

32-bit applications – 4-byte port number, 4-byte IP address

64-bit applications – 8-byte port number, 4-byte IP address

Since the Solaris 8 release, the terminal ID for port numbers is
specified as follows:

trailer Token

The two tokens, header and trailer, are special in that they distinguish the
end points of an audit record and bracket all the other tokens. A
header token begins an audit record. A trailer token ends an audit record.
The trailer token is an optional token. The trailer token is added as
the last token of each record only when the trail audit policy option
has been set.

When an audit record is generated with trailers turned on, the auditreduce command can
verify that the trailer correctly points back to the record header. The
trailer token supports backward seeks of the audit trail.

The trailer token has three fields:

A token ID that identifies this token as a trailer token

A pad number to aid in marking the end of the record

The total number of characters in the audit record, including both the header and trailer tokens

The praudit command displays the trailer token as follows:

trailer,136
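The sequence token and the header/trailer bracketing described above give an analyst two cheap integrity checks over a trail: every trailer should carry the same byte count as its header, and sequence numbers should be contiguous. The following Python script is an added example, not Oracle's code; the token lines reuse the page's praudit output, the sample itself is constructed, and the header line layout (header,byte count,version,event,modifier,host,time) is an assumption not stated on this page.

```python
# Added example (not Oracle's code): integrity checks over praudit text output.
# Constructed sample. The header line layout is an assumption, not on the page:
#   header,<byte count>,<version>,<event>,<modifier>,<host>,<time>
# Record 0 logs a failed call; record 1 has a size mismatch and a sequence gap.
SAMPLE = """\
header,136,2,open(2) - read,,machine1,2010-10-14 21:21:34.216 -07:00
path,/etc/security/audit_user
return,failure: Operation now in progress,-1
sequence,1292
trailer,136
header,120,2,open(2) - read,,machine1,2010-10-14 21:21:35.001 -07:00
path,/etc/security/prof_attr
return,success,0
sequence,1294
trailer,119
"""


def parse_records(text):
    """Group praudit lines into records bracketed by header and trailer tokens."""
    records, current = [], None
    for line in text.splitlines():
        fields = line.split(",")
        if fields[0] == "header":
            # The header's second field declares the record's total byte count.
            current = {"declared": int(fields[1]), "tokens": [], "seq": None, "trailer": None}
            records.append(current)
        elif current is None or not line.strip():
            continue  # blank line, or a token outside any header/trailer bracket
        elif fields[0] == "sequence":
            current["seq"] = int(fields[1])
        elif fields[0] == "trailer":
            current["trailer"] = int(fields[1])  # the trailer closes the record
            current = None
        else:
            current["tokens"].append(fields)
    return records


def check_trail(records):
    """Report size mismatches, sequence gaps and failed system calls."""
    findings, prev_seq = [], None
    for i, rec in enumerate(records):
        if rec["trailer"] is None:
            findings.append(f"record {i}: no trailer (trail policy off, or truncated)")
        elif rec["trailer"] != rec["declared"]:
            findings.append(f"record {i}: trailer says {rec['trailer']} bytes, header says {rec['declared']}")
        if rec["seq"] is not None:
            if prev_seq is not None and rec["seq"] != prev_seq + 1:
                findings.append(f"record {i}: sequence jumped from {prev_seq} to {rec['seq']}")
            prev_seq = rec["seq"]
        for tok in rec["tokens"]:
            if tok[0] == "return" and tok[1].startswith("failure"):
                findings.append(f"record {i}: system call failed: {tok[1]}")
    return findings
```

Run `check_trail(parse_records(open("trail.txt").read()))` on the output of `praudit` to get the findings list; a record without a trailer is reported separately because the trailer only exists when the trail policy is active.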

uauth Token

The uauth token records the use of authorization with a command or action.

The uauth token contains the following fields:

A token ID that identifies this token as a uauth token

The length of the text in the following field

A list of authorizations

The praudit command displays the uauth token as follows:

use of authorization,solaris.admin.printer.delete

upriv Token

The upriv token records the use of privilege with a command or action.

The praudit -x command shows the fields of the upriv token:

<use_of_privilege result="successful use of priv">proc_setid</use_of_privilege>

zonename Token

The zonename token records the zone in which the audit event occurred. The
string “global” indicates audit events that occur in the global zone.